On Tuesday, August 5, 2014 9:20:10 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Aug 5, 2014 at 8:54 AM, Tim Boyer <[email protected]> wrote:
> >
> >
> > On Tuesday, August 5, 2014 7:40:10 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Aug 4, 2014 at 8:05 PM, Tim Boyer <[email protected]> wrote:
> >> >
> >> >
> >> > On Monday, August 4, 2014 11:18:26 AM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Aug 4, 2014 at 10:56 AM, Tim Boyer <[email protected]> wrote:
> >> >> >
> >> >> > On Monday, August 4, 2014 9:30:26 AM UTC-4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> Is there anything useful in ossec.log related to this? Can you
> >> >> >> reproduce this on a recent version of OSSEC?
> >> >> >>
> >> >> >
> >> >> > Nothing helpful. Only difference between this startup and a normal
> >> >> > startup is
> >> >> >
> >> >> > 2014/08/04 10:51:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> >> > 2014/08/04 10:51:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> >> >
> >> >>
> >> >> Nothing before this? These are a symptom of a failure somewhere.
> >> >>
> >> >> I just tried adding 30ish rules with srcip and didn't have any issues.
> >> >> I'm running post 2.8, and I don't have your exact setup, so this may
> >> >> prove nothing.
> >> >>
> >> >> > Looks like it's time to move to 2.8. Let me see what it will take.
> >> >> > Thanks...
> >> >> >
> >> >>
> >> >
> >> > Dang. Spoke too soon. It worked only because ossec.conf got overwritten
> >> > during the upgrade, and didn't include local_nessus_rules.xml in the
> >> > rule list. Put it in, and same problem.
> >> >
> >> > Next step: save everything; completely remove ossec; install 2.8 fresh.
> >> > Same problem.
> >> >
> >> > I suspect a timing problem. log says:
> >> >
> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15507).
> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15508).
> >> > 2014/08/04 19:53:01 ossec-rootcheck: System audit file not configured.
> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_nessus_rules.xml'
> >> >
> >> > and I think that analysisd is still reading while other things are
> >> > starting. But no idea how to prove or fix.
> >> >
> >>
> >> I don't really know what that means.
> >> Can you provide your ossec.conf and local_nessus_rules.xml?
> >>
> >> ossec.conf:
> >
> >
> >
> Thank you. Putting the local_nessus_rules.xml file in place seems to
> make ossec-logtest loop through the rules over and over.
>
> I get (from ossec-logtest -tvd):
> LOTS OF OUTPUT
> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 8 : rule:105033, level 0, timeout: 0
> 2014/08/05 09:13:17 9 : rule:105034, level 0, timeout: 0
> 2014/08/05 09:13:17 10 : rule:105036, level 0, timeout: 0
> 2014/08/05 09:13:17 11 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 8 : rule:105034, level 0, timeout: 0
> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 8 : rule:105036, level 0, timeout: 0
> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 8 : rule:105038, level 0, timeout: 0
> 2014/08/05 09:13:17 7 : rule:105032, level 0, timeout: 0
>
> I'm not sure where to start with this off hand, but that's where it's at
> so far.
>
>

Hey, I'm just overjoyed that it's not something obviously stupid I'm doing. :)
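The ossec-logtest -tvd trace quoted in the thread shows the same rule ids (105038, 105036, 105034) being visited again and again at fluctuating nesting depths. A quick way to turn "LOTS OF OUTPUT" into something you can reason about is to parse those lines and count how often each rule is visited, and to check whether any rule is visited while it is already on its own ancestor path. The script below is an added example written for this page; it is not part of the thread and not OSSEC's own code. It assumes that the number before the colon in each trace line is the nesting depth of the rule-tree walk (depth increases when the walk descends into a rule's children), which is an assumption about the trace format, not something the thread states. The sample input is constructed from the lines quoted above.

```python
import re
import sys
from collections import Counter

# Constructed sample: the trace lines quoted in the thread above, copied verbatim.
# The real run produced far more output ("LOTS OF OUTPUT").
SAMPLE_TRACE = """\
2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 8 : rule:105033, level 0, timeout: 0
2014/08/05 09:13:17 9 : rule:105034, level 0, timeout: 0
2014/08/05 09:13:17 10 : rule:105036, level 0, timeout: 0
2014/08/05 09:13:17 11 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 8 : rule:105034, level 0, timeout: 0
2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 8 : rule:105036, level 0, timeout: 0
2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 8 : rule:105038, level 0, timeout: 0
2014/08/05 09:13:17 7 : rule:105032, level 0, timeout: 0
"""

# One trace line: "<date> <time> <depth> : rule:<id>, level <n>, timeout: <n>"
TRACE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (?P<depth>\d+) : rule:(?P<rule>\d+), "
    r"level (?P<level>\d+), timeout: (?P<timeout>\d+)$"
)


def parse_trace(text):
    """Return [(depth, rule_id), ...] for every rule-visit line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            events.append((int(m.group("depth")), int(m.group("rule"))))
    return events


def analyse(events, repeat_threshold=3):
    """
    Walk the visit sequence keeping an ancestor stack keyed by depth (assumption:
    the depth column is the nesting level of the tree walk). Returns:
      counts        - visits per rule id
      repeated      - rule ids visited more than repeat_threshold times (the
                      "over and over" symptom from the thread)
      self_ancestor - (rule, ancestors) for rules visited while already on their
                      own ancestor path, i.e. a direct if_sid-style cycle
    """
    stack = {}          # depth -> rule id currently open at that depth
    counts = Counter()
    self_ancestor = []
    for depth, rule in events:
        # Moving to a depth closes everything at that depth or deeper.
        for d in [d for d in stack if d >= depth]:
            del stack[d]
        ancestors = [stack[d] for d in sorted(stack)]
        if rule in ancestors:
            self_ancestor.append((rule, ancestors))
        stack[depth] = rule
        counts[rule] += 1
    repeated = {r: n for r, n in counts.items() if n > repeat_threshold}
    return {"counts": counts, "repeated": repeated, "self_ancestor": self_ancestor}


def summarise(text, repeat_threshold=3):
    """Human-readable summary lines for a trace; returned as a list so callers can test it."""
    result = analyse(parse_trace(text), repeat_threshold)
    lines = ["%d rule visits parsed" % sum(result["counts"].values())]
    for rule, n in sorted(result["repeated"].items(), key=lambda kv: -kv[1]):
        lines.append("rule %d visited %d times" % (rule, n))
    for rule, ancestors in result["self_ancestor"]:
        lines.append("rule %d re-entered under its own ancestors %s" % (rule, ancestors))
    if not result["repeated"] and not result["self_ancestor"]:
        lines.append("no repeated or self-nested rule visits found")
    return lines


if __name__ == "__main__":
    # Usage: ossec-logtest -tvd 2>&1 | python3 trace_loops.py   (or no args for the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    print("\n".join(summarise(data)))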
